signsrch

This post is part of a series of posts categorized as “Wiki” that contain basic how-to information. The intent is to create a reference repository for myself, but I’m not selfish so if anyone else can also benefit from it then I’m happy to share the knowledge!

  • OS: Linux/Windows
  • Description: Identify compression, crypto functionality
Helpful Options:
 -p       list the running processes and their modules
 -P PID[] use the process/module identified by its pid or part of
          name/path it accepts also offset and the optionally size
          in hex
 -d FILE  dump the process memory (like -P) in FILE
 -e       consider the input file as an executable (PE/ELF), useful
          to show the rva addresses instead of the file offsets
 -F       as above but returns the address of the first instruction
          that points to the found signature, for example where the
          AES Td0 table is used, something like an automatic "Find
          references" of Ollydbg